ABSTRACT



A method, and associated apparatus, for accessing a private 
IP network with a wireless host by way of a wireless access 
network. Once authenticated and permitted access to the 
private IP network, the wireless host becomes a virtual host 
of the private IP network. A wireless host identifier (WHI) 
is used to identify the wireless host. Permission to commu- 
nicate by way of the wireless access network is confirmed by an 
authentication procedure. The WHI is thereafter provided to 
the private IP network. If the WHI is of a selected value, 
permission to access the private IP network is granted. An IP 
address used to address data to the wireless host is allocated 
by the private IP network once access to the private IP 
network is granted. 

24 Claims, 2 Drawing Sheets 
SECURE ACCESS METHOD, AND ASSOCIATED APPARATUS, FOR ACCESSING A PRIVATE IP NETWORK

The present invention relates generally to communications between a wireless host and a network-located device. More particularly, the present invention relates to a method, and associated apparatus, for permitting the wireless host access to a private data communication network, such as a private IP network.

In an embodiment in which the private data communication network is formed of a private IP network, the private IP network is coupled to a wireless access network formed of the network infrastructure of a radio communication system, such as a cellular communication system. Once the wireless host is permitted access to the private IP network, an IP address is assigned to the wireless host by the private IP network. Information accessed at the private IP network is addressed to the wireless host using the IP address assigned by the private IP network.

A request by the wireless host to access the private IP network is transmitted first to the wireless access network. An authentication procedure is performed to confirm that the wireless host is permitted to communicate by way of the wireless access network. If the wireless host is authenticated, a wireless host identity (WHI), which identifies the wireless host, is forwarded to the private IP network. The wireless host is permitted to access the private IP network if the WHI identifies a wireless host permitted to access the private IP network. The private IP network then allocates an IP address to the wireless host. The IP address is used to address data to the wireless host.

A simple and efficient manner by which to access a private IP, or other data communication, network is provided. A WHI is used to identify the wireless host in the wireless access network and at the private IP network. The WHI is stored at the wireless access network and does not have to be sent to the wireless access network infrastructure over an air interface. And, if the wireless host is permitted to access the private IP network, an IP address is assigned to the wireless host by the private IP network. The IP address can be dynamically allocated to the wireless host, and a separate IP address need not be permanently allocated to the wireless host.

BACKGROUND OF THE INVENTION

Advancements in communication technologies have permitted significant improvements in the manners by which data can be communicated between a sending and a receiving station.

For instance, in radio communications, advancements in digital communication techniques have permitted the introduction of, and popularization of, new types of communication systems. For example, cellular communication systems which utilize digital communication technologies have been installed in many areas and are widely utilized.

Advancements in communication technologies have also facilitated the decentralization of computer systems. Processing devices can be distributed at separate locations and connected together by network connections. Network connections between distributed processing devices and communications therebetween have precipitated, for instance, the advent of and wide availability of IP networks, such as the Internet. Other private data communication networks have similarly been formed.

The advancements in communication technologies have also permitted the merging of radio and network-connected communication systems. For instance, it is possible for a terminal device, such as a portable computer, to be coupled by way of a radio link to network infrastructure of a radio communication system and, in turn, by way of a network connection to an Internet-connected network device. The terminal device forms a wireless host to the Internet-connected network device, as a physical, such as a hard-wired, link is not formed with the terminal device.

A private IP network is formed of a group of network devices, connected together by way of network connections, but to which access to the network is limited. Increasing numbers of private IP networks are being created and access thereto by a wireless host is increasingly demanded. Increasing numbers of other data communication networks are being created and access thereto by a wireless host is increasingly demanded.

Because of the limited-access nature of a private network, there is a need to insure that the wireless host is authorized to access the private network. And, if the wireless host is authorized to access the private network, there is a corresponding need to ensure that the wireless host receives an acceptable level of access to the private network, [...] the level of access to the private network as that given to a host physically coupled to such network.

[...] device of a private data communication network includes a [...] must be identified by an address [...] communicated thereto. In some existing communication systems in which a wireless host is able to communicate with a network device, the address of the wireless host is dynamically allocated. That is to say, e.g., in an embodiment in which the private data communication network forms a private IP network, rather than assigning a permanent IP address to the [...] temporary IP address [...] to be communicated [...] dynamic IP address allocation is exem[...] which dynamically [...] DNS (Domain Name System) name is allocated. A [...] for wireless hosts and other devices connected to an IP network.

One manner by which a wireless host can access a private IP network is to utilize a dial-out connection from the wireless host to the private IP network. Once a switched connection is formed, the wireless host is identified with a password.

Another manner by which a wireless host is sometimes able to access the private IP network is through the use of an authenticated tunnel. The wireless host is connected to the private IP network by way of the authenticated tunnel, and the wireless host is authenticated at the private IP network with an identity and a password. Such a tunneling method is sometimes referred to as "layer two tunneling." A PPTP system developed by Microsoft Corporation, an L2F system developed by Cisco Systems, and an L2TP system developed by IETF are related to tunneling PPP.

The existing manners by which a wireless host accesses a private IP, or other data communication, network require significant amounts of protocol overhead. As in any bandwidth-limited communication system, protocol overhead is bandwidth-consumptive.

When the wireless host accesses the private network by way of the network infrastructure of a cellular communication system, portions of the network infrastructure function as a wireless access network. When, e.g., the private data communication network forms a private IP network, two IP addresses are required to permit communications between the wireless host and the private IP network. A first IP address is required at the wireless access network formed of the portion of the network infrastructure, and a second IP address is required at the private IP network. Thereby, the wireless host is required to belong to two networks, i.e., the access IP network and the private IP network.

As a result, two IP addresses must be allocated to the 
wireless host. If DNS is used in the two networks, it would 
also be necessary to allocate DNS names in both networks. 

The layer two tunneling method requires formation of a 
protocol stack having three extra layers, the PPP layer, a 
layer two tunneling layer, and a basic IP layer. The protocol 
overhead resulting from such additional protocol layers is 
bandwidth-consumptive. Such a requirement is generally 
undesirable in a bandwidth-limited system. 

Some wireless hosts are additionally capable of commu- 
nicating packet data by way of circuit-switched as well as 
packet-switched connections. A GSM (Global System for 
Mobile communications) cellular communication system is 
exemplary of a cellular communication system which per- 
mits wireless hosts operable therein to communicate packet 
data by way of packet-switched and also circuit-switched 
connections. It would be advantageous to provide a manner 
by which to permit access of the wireless host to a private 
IP, or other data communication, network using the same 
access procedure irrespective of the type of data which is to 
be communicated therebetween. 

In conventional manners by which to provide access of a 
wireless host to, e.g., a private IP network, dial-up connec- 
tions are made directly to the private IP network. That 
connection may be made, for instance, to a remote access 
server of the private IP network. Telephonic charges asso- 
ciated with the dial-up connection can be significant. For 
instance, a long-distance toll might be charged to form the 
dial-up connection if an inter-LATA switched connection, or 
the like, is required between the network infrastructure of 
the cellular communication system and the private IP net- 
work. It would, of course, be desirable for the wireless host 
instead to be able to access a wireless access network as 
close as possible to the location at which the wireless host 
is positioned and thereafter to utilize IP transmission 
between the wireless access network and the private IP 
network. 

A manner by which better to permit access of a wireless 
host to access a private data communication network to 
communicate packet data therebetween would be advanta- 
geous. 

It is in light of this background information related to 
access of a wireless host and to a private IP network that the 
significant improvements of the present invention have 
evolved. 

SUMMARY OF THE INVENTION 
The present invention advantageously provides a method, 
and associated apparatus, for permitting a wireless host 
access to a private data communication network, such as a 
private IP network. The present invention further advanta- 
geously provides a method, and associated apparatus, once 
access is granted to the private network, for dynamically 
allocating a temporary address to the wireless host. The 
dynamically-allocated address is used to address data which 
is to be communicated to the wireless host. 

In one aspect of the present invention, the wireless host is 
coupled by way of an air interface to the network infrastruc- 
ture of a PLMN (Public Land Mobile Network), such as a 
GSM network. The PLMN is, in turn, coupled to a private 
IP network. The network infrastructure forms thereby a 
wireless access network. When the wireless host requests 
access to the private IP network, communications are first 
authenticated at the wireless access network formed of the 
network infrastructure of the PLMN. An authentication 
procedure is performed to confirm that communications are 
permitted by way of the wireless access network. If the 
authentication procedure confirms that such communica- 
tions are permitted, a wireless host identity (WHI), previ- 
ously stored at the wireless access network and which 
identifies the wireless host, is forwarded to the private IP 
network. The private IP network permits access to the 
wireless host if the wireless host identity provided thereto 
corresponds with the identity of a wireless host permitted to 
access the private IP network. An IP address is allocated to 
the wireless host by the private IP network. Such IP address 
is used to address data communicated to the wireless host. 
The IP address can be a dynamically-allocated address, used 
for a selected period to identify temporarily the wireless 
host. 

Thereby, the wireless host is not required to have a 
separate IP identity to access a wireless access network. 
Instead, a wireless host identity stored at the wireless access 
network formed of the infrastructure of the PLMN is used to 
identify the wireless host at the private IP network. The 
wireless host identity may be provided e.g., as subscription 
data in the wireless access network. The wireless host 
identity is selected, e.g., by the operator of the private IP 
network, and the wireless host identity is provided to, and 
stored at, the network infrastructure of the PLMN pursuant 
to agreement between the operator of the private IP network 
and the operator of the PLMN. 

Once provided access to the private IP network, an IP 
address for the wireless host is provided by the private IP 
network and not the PLMN. The wireless host is permitted 
to become a virtual host of the private IP network thus 
ensuring that the user and host environment, including 
security and firewalls, of the private IP network, shall 
similarly apply to the wireless host. IP tunneling is used 
between the PLMN and the private IP network. The IP 
tunnel can be secured either by an authentication process 
or by arranging for secure transmissions by arrangements 
between the operators of the PLMN and the private IP 
network. The tunnel authentication keys may be stored 
together with the WHI at the HLR, the SIM card, or at the 
wireless host to provide secure transmission of the wireless 
host identity as well as other data. The tunneling, however, 
does not extend to the air interface. Instead, air-interface- 
specific, transmission protocols are used to communicate 
datagrams between the wireless host and the network infra- 
structure of the PLMN. 

In these and other aspects, therefore, a secured-access 
method, and associated apparatus for implementing the 
method, accesses a private data communication network by 
a remote communication station. Once provided access, data 
is communicated between the private data communication 
network and the remote communication station. The private 
data communication network is coupled to the network 
infrastructure of the radio communication system. A remote 
communication station identity is stored at the network 
infrastructure of the radio communication system. A regis- 
tration request is generated by the remote communication 
station for requesting registration of the remote communi- 
cation station to access the network infrastructure to permit 
the communication of data therethrough. The registration 
request is detected at the network infrastructure. The remote 
communication station is authenticated to confirm authori- 
zation of the remote communication station to communicate 
by way of the network infrastructure. A network-access 
request is forwarded to the private data communication 
network if the remote communication station is authenti- 
cated wherein the remote communication station is identi- 
fied by the remote communication station identity. A deter- 
mination is made, responsive to the network-access request, 
whether the remote communication station is permitted to 
access the private data communication network. And, the 
remote communication station is permitted to access the 
private data communication network if the remote commu- 
nication station is determined to be permitted to access the 
private network. Subsequent to grant of permission to access 
the private data communication network, an address, such as 
a temporary address, can be assigned to the wireless host. 

A more complete appreciation of the present invention 
and the scope thereof can be obtained from the accompa- 
nying drawings which are briefly summarized below, the 
following detailed description of the presently-preferred 
embodiments of the invention, and the appended claims. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 illustrates a functional block diagram of a com- 
munication system in which an embodiment of the present 
invention is operable. 

FIG. 2 illustrates a logical, functional block diagram 
illustrating the routing of data communicated between a 
wireless host and a private IP network. 

FIG. 3 illustrates a functional block diagram of a private 
IP network which includes an embodiment of the present 
invention for allocating an address by which to address data 
communicated to a wireless host. 

FIG. 4 illustrates a logical flow diagram illustrating the 
method steps of the method of an embodiment of the present 
invention. 

DETAILED DESCRIPTION 

Referring first to FIG. 1, a communication system, shown 
generally at 10, permits the communication of data between 
a remote communication station 12 and a private IP network 
14. The private IP network 14 here forms a private intranet 
to which access is selectively permitted. When the remote 
communication station 12 is permitted access to the private 
IP network 14, data can be communicated therebetween. In 
one embodiment, packet data is communicated between the 
remote communication station 12 and the private IP network 
14. While a private IP network is shown in the exemplary 
embodiment illustrated in the figure, in other embodiments, 
access to other types of private data communication net- 
works can analogously be effectuated through operation of 
an embodiment of the present invention. Therefore, while 
the following description shall be described with respect to 
a private IP network 14, it should be understood that the 
present invention is also operable to permit access to other 
data communication networks. 

In the exemplary embodiment illustrated in the figure, the 
communication system 10 is formed of a GSM (Global 
System for Mobile communications) cellular communica- 
tion system of which the network infrastructure thereof 
forms a wireless access network to which the private IP 
network 14 is coupled. In other embodiments, the commu- 
nication system 10 is alternately formed of other structure. 

The radio communication station 10 includes a radio 
transceiver, here a GSM mobile terminal 16. The mobile 
terminal 16 includes a SIM (Subscriber Identity Module) 
card 18 which is inserted into, or is otherwise connected, 
here indicated by the lines 22, to the mobile terminal 16. 
The SIM card 18 includes a storage location 24 for storing 
authentication information, in conventional manner. The 
SIM card 18 further includes a storage location 26 for 
storing the address of the private IP network 14. In one 
embodiment of the present invention, the SIM card further 
includes a storage location 28 for storing a WHI (Wireless 
Host Identifier). Other subscriber data can additionally be 
stored at other storage locations of the SIM card 18. 

The mobile terminal 16 is coupled to a wireless host 32, 
here by way of lines 34. The wireless host 32, in one 
embodiment, forms a portable computer capable of receiv- 
ing data communicated thereto by a network device of the 
private IP network 14, The wireless host 32 may alternately 
be coupled to the mobile terminal 16 by a contactless 
coupler, e.g., an infrared coupler. In one embodiment of the 
present invention, the wireless host 32 includes storage 
locations 36, 38, and 42 for storing data similar to that stored 
at the storage locations 24, 26, and 28. Namely, in such an 
embodiment, authentication information, the address of the 
private IP network 14, and the value of the WHI are stored 
at the storage locations 36-42, respectively. In the exem- 
plary embodiment illustrated in the figure, such information 
is redundantly stored at the storage locations of both the SIM 
card 18 and the wireless host 32. In other embodiments, 
merely the authentication information is stored at one of the 
storage locations 24 or 36. 

The network infrastructure of the communication system 
10 forms a wireless access network which is coupled to the 
private IP network 14 by way of a backbone network 46. The 
wireless access network formed of the network infrastruc- 
ture of the GSM system is here shown to include a BTS 
(Base Transceiver Station) 52. The BTS 52 is operable to 
generate downlink signals 54 and to receive uplink signals 
56 upon an air interface formed of radio links between the 
remote communication station and the BTS 52. 

In the embodiment in which portions of the commimica- 
tion system 10 are formed of a structure of a GSM com- 
munication system, such structure, as well as the air inter- 
face formed between the remote communication station 12 

and the BTS 52 are defined by the specification standards of 
the GSM system. 

Groups of BTSs, of which a single BTS 52 is shown in the 
figure, are coupled by way of lines 58 to a BSC (Base Station 
Controller) 62. The BSC 62 is operable, inter alia, to control 
operation of the BTSs coupled thereto. The BSC 62 is 
further coupled, here by way of lines 64, to a MSC/VLR 
(Mobile Switching Center/Visited Location Register) 66. 
The MSC/VLR 66 is operable in conventional manner to 
form appropriate connections to form a communication path 
between the BSC 62 and a PSTN (Public-Switched Tele- 
phonic Network) 68 by way of lines 72. 

The MSC/VLR 66 is further coupled, by way of lines 74, 
to an HLR (Home Location Register) 76. The HLR 76 
includes an authentication center (not separately shown) at 
which, inter alia, an IMSI (International Mobile Subscriber 
Identity) and a value of a pseudo-random number are stored. 
Such values are utilized during authentication procedures 
used to confirm the authenticity of the remote communica- 
tion station. 

In an embodiment of the present invention, a value of 
WHI associated with the wireless host 32 is also stored at the 
HLR 76. And, in another embodiment of the present 
invention, an address associated with the private IP network 
14 is also stored at the HLR 76. 
Both the BSC 62 and the HLR 76 are further coupled to a SGSN (Serving GPRS Support Node) 82. The BSC 62 is coupled to the SGSN 82 by way of lines 84. And, the HLR 76 is coupled to the SGSN 82 by way of lines 86. The SGSN 82 is further coupled to the backbone network 46 by way of lines 88. Thereby, the SGSN 82 is coupled to the private IP network 14.

The private IP network 14 here forms an HIPN (Home Intelligent Peripheral Network), here shown to include a GGSN (Gateway GPRS Support Node) 92 and a home IP access control network 94. Additional details of the HIPN forming the private IP network 14 shall be described below with respect to FIG. 3.

The backbone network 46 is further coupled to additional IP networks, such as the IP network 96.

The backbone network 46 is further shown to be coupled by way of a GGSN 98 to another IP network forming another HIPN, here HIPN 102, by way of an Internet connection 104. And, the backbone network 46 is also coupled to an additional private IP network, forming an additional HIPN 106 by way of an Internet connection 108. Such additional HIPNs 96, 102, and 106 are exemplary and are shown to illustrate manners by which private IP networks can be coupled to a wireless access network such as the network infrastructure of the GSM system shown in the figure.

During operation, when an operator of the wireless host 32 desires to access the private IP network 14, appropriate commands are generated at the wireless host to initiate a request for access to the private IP network 14. Signals indicative of such request are provided to the mobile terminal 16, and the mobile terminal 16 generates a request over the air interface as an uplink signal 56 communicated to the BTS 52. In a GSM communication system, an attach procedure is initiated. The BTS 52 forwards the request through the BSC 62 to the MSC/VLR 66.

The IMSI and pseudo-random number values are retrieved from the HLR 76 and an authentication procedure is carried out. While details of the authentication procedure carried out in a GSM communication system can be found in the specification standards of the GSM system, in general, the authentication procedure authenticates, i.e., confirms, that the mobile terminal 16 is permitted to communicate by way of the network infrastructure forming the wireless access network. Once the authentication procedure is successfully completed, i.e., the mobile terminal 16 is confirmed to be an authentic terminal which is permitted to communicate by way of the wireless access network formed of the network infrastructure, a value of the WHI associated with the wireless host is forwarded to the private IP network 14.

In one embodiment, when the WHI is stored at the HLR 76, the value stored thereat is provided by way of the line 86 to the SGSN 82, through the backbone 46 and to the private IP network 14. The WHI stored at the HLR is forwarded to the SGSN 82 if the authentication procedure confirms the authenticity of the mobile terminal 16. Thereby, the value of the WHI is authenticated by the authentication procedure performed by the wireless access network. Storage of the WHI at the HLR 76, or at another portion of the wireless access network, requires an agreement between an operator of the private IP network 14 and the operator of the wireless access network for the secure storage of the value of the WHI at the wireless access network. A separate IP address or DNS (Domain Name Service) name is provided only at the private IP network 14, and not elsewhere. Thereby, because the IP address and DNS name is provided at the private IP network, the wireless host 32, when permitted access to the private IP network, becomes a virtual host of the network 14. The user and host environment of the network 14, including security and firewalls of the network, apply also to the wireless host 32.

Access of the wireless host 32 to others of the networks, such as the HIPNs 96, 102, and 106, can analogously be effectuated.

Authenticated IP tunneling is performed between the SGSN 82 and the GGSN 92 over the backbone network 46 to ensure secure transmission of the WHI, and other data, between the private IP network 14 and the wireless access network formed of the network infrastructure. Such authenticated tunneling is performed as the backbone network 46 might be shared by many different operators and security of the backbone can not be assured. For instance, if the HIPN 106 is to be accessed, data is routed by way of a public Internet 108. The authenticated IP tunneling is performed to authenticate traffic, i.e., communication of data, between the SGSN 82 and the GGSN 92. Authenticating the traffic routed over the backbone ensures the validity of the value of the WHI when the value is received at the GGSN 92. When, e.g., the HIPN 102 is instead to be accessed, the transmission over the Internet 104 similarly is authenticated by an authentication procedure.

In one embodiment, the GGSN 92 includes an access control mechanism to ensure that only values of wanted-WHIs are permitted to gain access to the private IP network. A list of wanted-WHIs is stored at the access control mechanism of the GGSN 92. And, a WHI authentication procedure may further be performed to increase further the security level and minimize the possibility of erroneous access to the private IP network responsive to WHI administration mistakes. While not separately shown in FIG. 1, the SGSN 82 and the GGSN 92 are protected by firewalls positioned towards the backbone network 46.

Within the private IP network 14, standard HIPN security procedures, such as, e.g., firewalls and passwords, are used. Thereby, the wireless host 32, once access to the private IP network is permitted, is provided with the same environment and security level as any other host connected directly to the network 14.

FIG. 2 illustrates the logical arrangement of portions of the communication system 10 shown in FIG. 1. Again, during operation of an embodiment of the present invention, a wireless host, here the wireless host 32, is selectively permitted to access the private IP network, here again shown to form an HIPN, 14.

When the wireless host 32 is to gain access to the private IP network 14, the mobile terminal 16 generates an attach request to attach to the wireless access network formed of the network infrastructure of the GSM system. The attachment procedure is performed pursuant to the SGSN 82 when using packet-switched circuit connections. And, the attach procedure is performed pursuant to the MSC/VLR 66 when circuit-switched circuit connections are used.

During the attach procedure, the values of the IMSI, the WHI, and other associated subscriber data are downloaded from the HLR 76 to the appropriate one of the MSC/VLR 66 and SGSN 82. The other appropriate subscriber data includes the address of the private IP network 14. Addresses of additional private IP networks, such as the HIPN 96, 102, and 106 (shown in FIG. 1) may also be downloaded to permit alternate, or second-choice, access to an alternate IP network. The HIPN address identifying the private IP network 14, in one embodiment, is the address of the GGSN, such as the GGSN 92 of the private IP network 14.
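The access decision described above, as an added simulation that is not part of the patent: the attach at the wireless access network challenges the SIM against HLR-held data, the WHI stored at the HLR is forwarded only after that succeeds, the GGSN admits only WHIs on its wanted-WHI list, and the private IP network's address allocator then leases a temporary address keyed by the WHI. All names (Hlr, Sim, Ggsn, Dhcp, request_access), the IMSIs, keys, WHI values and the 10.1.0.0/29 pool are constructed for this example, and the HMAC challenge/response is a stand-in for the GSM authentication algorithm, not the real one.

```python
"""Simulation of WHI-based access to a private IP network (added example, not the patent's code).
The HMAC challenge/response below stands in for the GSM A3 algorithm; all subscriber data is constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Subscriber:
    imsi: str
    ki: bytes         # secret shared by the SIM and the HLR's authentication centre (constructed)
    whi: str | None   # WHI held as subscriber data at the HLR; None: no private-network subscription


class Hlr:
    """Home Location Register: authentication data plus the WHI for each subscriber."""

    def __init__(self, subscribers: list[Subscriber]) -> None:
        self._subs = {s.imsi: s for s in subscribers}

    def lookup(self, imsi: str) -> Subscriber | None:
        return self._subs.get(imsi)

    @staticmethod
    def expected_sres(ki: bytes, rand: bytes) -> bytes:
        # Stand-in for A3: keyed hash of the challenge, truncated like a 32-bit SRES.
        return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Sim:
    """SIM card: holds only the key and answers challenges. It never sees or sends the WHI."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki = imsi, ki

    def sres(self, rand: bytes) -> bytes:
        return Hlr.expected_sres(self._ki, rand)


class Dhcp:
    """Address allocator of the private IP network; leases are keyed by WHI."""

    def __init__(self, pool: str) -> None:
        self._free = list(IPv4Network(pool).hosts())
        self.leases: dict[str, IPv4Address] = {}

    def allocate(self, whi: str) -> IPv4Address | None:
        if whi in self.leases:          # a re-attaching WHI keeps its temporary address
            return self.leases[whi]
        if not self._free:
            return None                 # pool exhausted: no address, so no access
        self.leases[whi] = self._free.pop(0)
        return self.leases[whi]

    def release(self, whi: str) -> None:
        ip = self.leases.pop(whi, None)
        if ip is not None:
            self._free.append(ip)


class Ggsn:
    """GGSN of the private IP network, with the wanted-WHI access control list."""

    def __init__(self, wanted_whis: set[str], pool: str) -> None:
        self._wanted = set(wanted_whis)
        self.dhcp = Dhcp(pool)

    def create_pdp_context(self, whi: str) -> IPv4Address | None:
        if whi not in self._wanted:     # only wanted WHIs become virtual hosts of the network
            return None
        return self.dhcp.allocate(whi)


def attach(hlr: Hlr, sim: Sim, rand: bytes | None = None) -> Subscriber | None:
    """Attach at the wireless access network: challenge the SIM and compare with the HLR's
    expected response. The subscriber record (carrying the WHI) is released only on success."""
    sub = hlr.lookup(sim.imsi)
    if sub is None:
        return None
    rand = rand if rand is not None else secrets.token_bytes(16)
    if not hmac.compare_digest(sim.sres(rand), hlr.expected_sres(sub.ki, rand)):
        return None
    return sub


def request_access(hlr: Hlr, sim: Sim, ggsn: Ggsn,
                   rand: bytes | None = None) -> tuple[str, IPv4Address | None]:
    """Full flow: authenticate at the access network, forward the HLR-stored WHI to the GGSN,
    let the private network decide and allocate a temporary address."""
    sub = attach(hlr, sim, rand)
    if sub is None:
        return "authentication_failed", None      # nothing is forwarded to the private network
    if sub.whi is None:
        return "no_whi", None                      # no private-network subscription at the HLR
    ip = ggsn.create_pdp_context(sub.whi)
    if ip is None:
        return "denied_by_private_network", None   # WHI not on the wanted list, or pool exhausted
    return "granted", ip


# Constructed sample data (IMSIs, keys, WHIs and address pool are illustrative).
HLR = Hlr([
    Subscriber("240010000000001", b"key-for-sub-1", "WHI24450123456789"),
    Subscriber("240010000000002", b"key-for-sub-2", "WHI24450199999999"),
    Subscriber("240010000000003", b"key-for-sub-3", None),
])
GGSN = Ggsn({"WHI24450123456789"}, "10.1.0.0/29")

if __name__ == "__main__":
    print(request_access(HLR, Sim("240010000000001", b"key-for-sub-1"), GGSN))
```

The point the model makes concrete is the one the text relies on: the Sim object holds only the key, so the only path by which a WHI reaches the GGSN is the subscriber record that attach releases after a successful challenge, and an unknown IMSI, a wrong key, a subscriber without a WHI and a WHI absent from the wanted list each fail at a distinct, visible step.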
Thereafter, the mobile terminal 16 generates a "PDP routing context activation request" to the SGSN 82 or an access to the MSC/VLR 66, as appropriate. The access to the MSC/VLR 66 is performed, for instance, by placing a call originated at the mobile terminal. Alternatively, standardization of additional protocol over the air interface to explicitly indicate that the MSC/VLR should be accessed can be made.

Pursuant to the activation request to the SGSN 82 or the access to the MSC/VLR 66, an indication of which HIPN is to be accessed is further provided to the SGSN or MSC/VLR, as appropriate. The mobile terminal 16 indicates, for instance, that the private IP network identified by the HIPN address stored at the HLR is the address of the private IP network which is to be accessed. Alternatively, the mobile terminal 16 can itself provide the address of the private IP network which is to be accessed. Or, a default address can be used to identify the private IP network which is to be accessed.

The appropriate one of the SGSN 82 and the MSC/VLR 66 analyzes the value of the IMSI provided thereto and determines the address of the default, private IP network if the address is not otherwise provided thereto.

The appropriate one of the SGSN 82 and MSC/VLR 66 generates a "create PDP context" command which is forwarded, by way of the backbone network 46, to the GGSN 92, when the private IP network 14 is to be accessed, or another GGSN when another network is, instead, to be accessed. The "create PDP context" command includes the WHI of the wireless host, and such value is used as the host identity at the HIPN forming the private IP network 14.

FIG. 2 further illustrates a wireless host 112 which is connectable to another WAR (Wireless Access Router) 114 [...]

[...] 126 and 128, which are connected to an Internet 132 and an intranet 134, respectively. The routers 124-128 are connected by way of a local area network (LAN) 138 to which a DHCP (Dynamic Host Configuration Profile) device 142 and a DNS (Domain Name Service) device 144 are also coupled. Other, optional application servers, of which the server 146 is representative, are also shown in the figure, also connected to the LAN 138. And, wireless hosts 148, directly coupled to the private IP network 14, are further pictured in the figure in connection with the LAN 138.

The DHCP 142 is operable to allocate addresses to wireless hosts, such as the wireless host 32. A WHI value is used as a wireless host address at the DHCP 142. The DNS 144 is operable to store names of the wireless hosts, such as the wireless host 32. The value of the WHI is used as a primary name at the DNS 144, and other secondary names can also be stored in conjunction with the WHI. Exemplary DNS names include, for instance,

WHI 2445 01 2345 6789@org.country;

MSISDN 46705 12345 67@org.country; and

myhost@org.country.

The value of the WHI can be advantageously utilized because such value is a secure, wireless-network-provided identity which unambiguously identifies the wireless subscription used at the wireless host. By storing the value of the WHI as subscriber data at the HLR 76 (shown in FIG. 1), the value of the WHI is stored with an appropriate level of security. As the wireless host accessing the GSM network is authenticated prior to receiving permission to use the WHI stored thereat, no separate log-in is needed to access the private IP network 14.

Transmission between the private IP network 14 and the wireless access router 124 must be secure. To ensure security

by way of a radio link. And, the WAR 114 is coupled to the of Ihe transmission, the wireless host router 124 and the 

backbone network 46. The wireless host 112 is exemplary of wireless access router forming a portion of the GSM, the 

another device to which access might be permitted to the IP wireless access network stores the address and authentica- 

network 14. tion information about the respective routers between which 

HG. 3 illustrates a logical model of the private IP network communication is permitted. Such measures ensure that a 

14, formed of an HIPN, shown previously in HGS, 1 and 2. 40 ^rnving at the wireless host router 124 is secure and 

The HIPN formed of the network 14 provides services and correct. If necessary, transmission between the routers may 

a user environment including the following: a DHCP encrypted to provide greater assurances of data confi- 

(Dynamic Host Configuration Profile) service, a DNS dentiality and reliability. Optionally, an authentication pro- 

(Domain Name Service) service, a news service, a mail ^edure at the WHR 124 may be associated to the WHI, thus 

service, a log-in service, an NTP service, a WWW (Worid 45 Protecting the IP network from mistakes made in the WHI 

Wide Web) service, other application servers, connection to administration. 

an Internet, connections to intranets, connection to a back- WHI and an authentication key may also be received from 

bone network, and firewalls at each interface to which the wireless host 32, and authentication procedures can 

connection is made to another network. additionally be performed at the private IP network prior to 

Access to a private IP network by the wireless host 32 50 griming of permission of the wireless host 32 to access the 

provides vertical services and access to the home organiza- pnvate IP network. 

tion of a mobile terminal. In such a scenario, the private IP Access attempts without a valid WHI are rejected by the 

network is part of the private network of a service provider. GGSN. And, valid WHIs must be preconfigured in the WHR 

A public IP network provides pubUc Internet services. If, 124 as well as the DHCP 142 and DNS 144. The DHCP 142 

instead, a public IP network is accessed, the public IP 55 updates the DNS 144 with the allocated IP address used to 

network is situated at an Internet service provider at either address data to be communicated to the wireless host, 

a home or a visited, PLMN (Public Land Mobile Network), While the private IP network 14 shown in FIG. 3 illus- 

provided by its operator or a dedicated Internet service trates only a single LAN 138, the network can, instead, be 

provider. implemeiited on several physical LANs or implemented on 

With reference, then, to FIG. 3, the HIPN forming the 60 a single platform without a physical LAN. When WHRs 

private IP network 14 is again shown to be coupled to the analogous to the WHR 124 are present at several physical 

backbone network 46. A WHR (Wireless Host Router) 124 locations, each WHR is considered as a subnetwork 

which also functions as a firewall is coupled to the backbone (SHIPN) of the HIPN forming the private IP network. In 

network 46. The WHR 124 is formed of a router having such an arrangement, each SHIPN is able to commimicate 

special support for selectively permitting a wireless host, 65 with another SHIPN by way of a backbone network, 

such as the wireless host 32, to become a virtual host of the FIG. 4 illustrates the method, shown generally at 152, of 

network. The network 14 includes other routers, here routers an embodiment of the present invention. The method 152 
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provides a secured-access method for accessing a private IP 
network by a remote communication station. 

First, and as indicated by the block 154, a remote communication station identity is stored at the network infrastructure forming a wireless access network of a radio communication system. The remote communication station identity is stored together with authentication data associated with the remote communication station.

Then, and as indicated by the block 156, a request is generated by the remote communication station for requesting access to the network infrastructure to permit communication of data therethrough.

The request is detected, as indicated by the block 158, at the network infrastructure. The remote communication station is authenticated, as indicated by the block 162, to confirm authorization of the remote communication station to communicate by way of the network infrastructure.

Thereafter, an IP network-access request is forwarded to the private IP network, as indicated by the block 164. Then, as indicated by the block 166, a determination is made as to whether the remote communication station is permitted to access the private IP network.

And, the remote communication station is permitted to access the private IP network if the remote communication station is determined to be permitted to access the network.
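The access flow of FIG. 4 (blocks 154 to 166), together with the HIPN components described with FIG. 3 (the GGSN/WHR rejecting any WHI not preconfigured, the DHCP allocating a temporary address keyed by the WHI, and the DNS holding the WHI as the primary name with optional secondary names), modelled in Python as an added example. This code is not part of the patent: the challenge-response at the access network uses HMAC-SHA256 as a stand-in for the GSM authentication procedure, which the text does not specify, and the WHIs, keys, address pool, domain and names are all constructed values.

```python
"""Model of the WHI-based secured-access flow (added example, not from the patent).

The wireless access network keeps each WHI together with authentication data;
the private IP network (HIPN) admits only preconfigured WHIs, leases a temporary
address keyed by the WHI and records WHI@domain as the host's primary DNS name.
The HMAC challenge-response and all sample values are constructed stand-ins."""
import hashlib
import hmac
import secrets
from ipaddress import IPv4Network


class WirelessAccessNetwork:
    """Blocks 154, 158 and 162: WHI stored with its key; host authenticated."""

    def __init__(self, subscriber_keys: dict):
        self.subscriber_keys = subscriber_keys      # WHI -> key (HLR subscriber data)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, whi: str, rand: bytes, response: bytes) -> bool:
        key = self.subscriber_keys.get(whi)
        if key is None:
            return False                            # unknown WHI: never admitted
        expected = hmac.new(key, rand, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class WirelessHost:
    """Terminal holding its WHI and the matching key (e.g. on the memory card)."""

    def __init__(self, whi: str, key: bytes):
        self.whi = whi
        self.key = key

    def respond(self, rand: bytes) -> bytes:
        return hmac.new(self.key, rand, hashlib.sha256).digest()


class PrivateIpNetwork:
    """HIPN: GGSN/WHR access list, DHCP pool keyed by WHI, DNS keyed by name."""

    def __init__(self, domain, allowed_whis, pool: IPv4Network, lease_seconds: int):
        self.domain = domain
        self.allowed_whis = set(allowed_whis)       # valid WHIs, preconfigured
        self.free_addresses = list(pool.hosts())    # DHCP pool, handed out in order
        self.lease_seconds = lease_seconds
        self.leases = {}                            # WHI -> (address, expiry)
        self.dns = {}                               # name -> address

    def primary_name(self, whi: str) -> str:
        # Mirrors the page's naming, e.g. "WHI 2445 01 2345 6789@org.country"
        return f"WHI{whi}@{self.domain}"

    def handle_access_request(self, whi, now, secondary_names=()):
        """Block 166: decide, then allocate a temporary address and update DNS."""
        if whi not in self.allowed_whis:
            return None                             # rejected by the GGSN
        if whi in self.leases:                      # already a virtual host
            return self.leases[whi][0]
        if not self.free_addresses:
            return None                             # pool exhausted
        addr = self.free_addresses.pop(0)
        self.leases[whi] = (addr, now + self.lease_seconds)
        # The DHCP updates the DNS: WHI is the primary name, the rest secondary
        for name in (self.primary_name(whi), *secondary_names):
            self.dns[name] = addr
        return addr

    def expire_leases(self, now):
        """Temporary addresses identify the host only for the lease period."""
        for whi, (addr, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[whi]
                self.free_addresses.append(addr)
                for name in [n for n, a in self.dns.items() if a == addr]:
                    del self.dns[name]


def access_private_network(host, access_network, hipn, now, secondary_names=()):
    """Blocks 154-166 of FIG. 4 end to end; returns (outcome, address)."""
    rand = access_network.challenge()
    if not access_network.authenticate(host.whi, rand, host.respond(rand)):
        return ("rejected_by_access_network", None)
    # Only an authenticated WHI is forwarded to the private IP network
    addr = hipn.handle_access_request(host.whi, now, secondary_names)
    if addr is None:
        return ("rejected_by_private_network", None)
    return ("granted", addr)


# Constructed sample subscribers and network (not values from the page).
SUBSCRIBERS = {"244501234567890": b"key-of-subscriber-A",
               "244509876543210": b"key-of-subscriber-B"}
ACCESS_NET = WirelessAccessNetwork(SUBSCRIBERS)
HIPN = PrivateIpNetwork("org.country", {"244501234567890"},
                        IPv4Network("10.20.30.0/28"), lease_seconds=3600)
```

Calling `access_private_network(WirelessHost("244501234567890", SUBSCRIBERS["244501234567890"]), ACCESS_NET, HIPN, now=0, secondary_names=("myhost@org.country",))` returns `("granted", 10.20.30.1)` and leaves both `WHI244501234567890@org.country` and `myhost@org.country` pointing at that address; a host whose key does not match is turned away at the access network, and a host that authenticates but whose WHI is not preconfigured at the HIPN is turned away by the GGSN check, which is the separation of duties the text describes. The two rejection paths are kept distinct so that an operator can tell an access-network authentication failure from a private-network policy refusal in logs.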

Operation of an embodiment of the present invention permits a wireless host to become a virtual host of a private IP network. A wireless host identity (WHI) is used as a host identifier in the private IP network. The wireless host need only authenticate itself at the private IP network when no contract for safe storage exists between the operators of the wireless access network and the private IP network regarding security of, e.g., identification information. An authentication procedure confirms the authenticity of the structure transmitting the access request. Bandwidth required over the air interface to generate the request to access the private IP network is advantageously also reduced when transferring IP packets over the air interface, as only air-interface-specific protocols are used to transfer IP packets over the air interface.

The previous descriptions are of preferred examples for implementing the invention, and the scope of the invention should not necessarily be limited by this description. The scope of the present invention is defined by the following claims.

What is claimed is: 

1. In a method for communicating data between a private data communication network and a remote communication station, the private data communication network coupled to network infrastructure of a radio communication system of which the remote communication station forms a portion, an improvement of a secured-access method of accessing the private data communication network by the remote communication station, said method comprising the steps of:

storing a remote communication station identity which identifies the remote communication station at the network infrastructure;

generating a request by the remote communication station to access the network infrastructure to permit communication of data therethrough;

detecting at the network infrastructure the request generated during said step of generating;

authenticating the remote communication station to confirm authorization of the remote communication station to communicate by way of the network infrastructure;

the remote communication station identity stored together with authentication data associated with the remote communication station;

forwarding a network-access request to the private data communication network if the remote communication station is authenticated during said step of authenticating, the remote communication station identified by the remote communication station identity stored during said step of storing;

determining, responsive to the network-access request forwarded during said step of forwarding, whether the remote communication station is permitted to access the private data communication network; and

permitting the remote communication station to access the private data communication network if the remote communication station is determined, during said step of determining, to be permitted to access the private data communication network.

2. In a method for communicating data between a private IP (Internet Protocol) network and a remote communication station, the private IP network coupled to network infrastructure of a radio communication system of which the remote communication station forms a portion, an improvement of a secured-access method of accessing the private IP network by the remote communication station, said method comprising the steps of:

storing a remote communication station identity which identifies the remote communication station at the network infrastructure;

generating a request by the remote communication station to access the network infrastructure to permit communication of data therethrough;

detecting at the network infrastructure the request generated during said step of generating;

authenticating the remote communication station to confirm authorization of the remote communication station to communicate by way of the network infrastructure;

the remote communication station identity stored together with authentication data associated with the remote communication station;

forwarding an IP network-access request to the private IP network if the remote communication station is authenticated during said step of authenticating, the remote communication station identified by the remote communication station identity stored during said step of storing;

determining, responsive to the IP network-access request forwarded during said step of forwarding, whether the remote communication station is permitted to access the private IP network; and

permitting the remote communication station to access the private IP network if the remote communication station is determined, during said step of determining, to be permitted to access the private IP network.

3. The method of claim 2 wherein the remote communication station comprises a wireless host coupled to a radio transceiver, the radio transceiver operable to communicate with the network infrastructure, and wherein said step of storing comprises storing a wireless host identity, the wireless host identity associated with the wireless host.

4. The method of claim 3 wherein the wireless host identity is stored at the wireless host.

5. The method of claim 4 wherein the wireless host identity is stored at the radio transceiver.

6. The method of claim 5 wherein the radio transceiver comprises a cellular mobile terminal operable in a cellular communication system, the cellular mobile terminal having a memory card, and wherein the wireless host identity is stored at the memory card.

7. The method of claim 2 wherein the radio communication system comprises a cellular communication system, wherein the remote communication station comprises a wireless host coupled to a radio transceiver, and wherein said step of generating the request comprises generating an attach request, the attach request for requesting attachment, by way of a radio link, of the radio transceiver with the network infrastructure of the cellular communication system by way of an air interface formed therebetween.

8. The method of claim 2 wherein the radio communication system comprises a cellular communication system, wherein the data communicated between the remote communication station and the private IP network comprises packet data, and wherein the request generated during said step of generating is provided to a router which routes packet data.

9. The method of claim 8 wherein the cellular communication system comprises a GSM communication system and wherein the router to which the request is provided comprises a SGSN (Servicing GPRS Support Node).

10. The method of claim 2 wherein the radio communication system comprises a cellular communication system, wherein the data communicated between the remote communication station and the private IP network comprises packet-switched data, and wherein the request generated during said step of generating is provided to a router by way of a circuit-switched circuit connection.

11. The method of claim 10 wherein the cellular communication system comprises a GSM communication system and wherein the router to which the request is provided comprises an MSC/VLR (Mobile Switching Center/Visited Location Register).

12. The method of claim 2 wherein said step of storing further comprises the step of storing a private IP network identity identifying the private IP network between which the data is communicated with the remote communication station.

13. In a method for communicating data between a private IP (Internet Protocol) network and a remote communication station, the private IP network coupled to network infrastructure of a radio communication system of which the remote communication station forms a portion, an improvement of a secured-access method of accessing the private IP network by the remote communication station, said method comprising the steps of:

storing a remote communication station identity which identifies the remote communication station at a storage location;

generating a request by the remote communication station to access the network infrastructure to permit communication of data therethrough;

detecting at the network infrastructure the request generated during said step of generating;

authenticating the remote communication station to confirm authorization of the remote communication station to communicate by way of the network infrastructure;

forwarding an IP network-access request to the private IP network if the remote communication station is authenticated during said step of authenticating, the remote communication station identified by the remote communication station identity stored during said step of storing;

determining, responsive to the IP network-access request forwarded during said step of forwarding, whether the remote communication station is permitted to access the private IP network; and

permitting the remote communication station to access the private IP network if the remote communication station is determined, during said step of determining, to be permitted to access the private IP network;

wherein said step of storing further comprises the step of storing a private IP network identity identifying the private IP network between which the data is communicated with the remote communication station; and

wherein the IP network-access request forwarded during said step of forwarding is forwarded to the private IP network identified by the private IP network identity stored during said step of storing the private IP network identity.

14. In a method for communicating data between a private IP (Internet Protocol) network and a remote communication station, the private IP network coupled to network infrastructure of a radio communication system of which the remote communication station forms a portion, an improvement of a secured-access method of accessing the private IP network by the remote communication station, said method comprising the steps of:

storing a remote communication station identity which identifies the remote communication station at a storage location;

generating a request by the remote communication station to access the network infrastructure to permit communication of data therethrough;

detecting at the network infrastructure the request generated during said step of generating;

authenticating the remote communication station to confirm authorization of the remote communication station to communicate by way of the network infrastructure;

forwarding an IP network-access request to the private IP network if the remote communication station is authenticated during said step of authenticating, the remote communication station identified by the remote communication station identity stored during said step of storing;

determining, responsive to the IP network-access request forwarded during said step of forwarding, whether the remote communication station is permitted to access the private IP network; and

permitting the remote communication station to access the private IP network if the remote communication station is determined, during said step of determining, to be permitted to access the private IP network;

wherein said step of storing further comprises the step of storing a private IP network identity identifying the private IP network between which the data is communicated with the remote communication station; and

wherein said step of generating further comprises the step of generating a wireless-host-provided IP network identity, the wireless-host-provided IP network identity identifying the private IP network between which the data is to be communicated with the remote communication station.

15. The method of claim 14 wherein said step of generating further comprises the step of generating a wireless-host-provided IP network identity, the wireless-host-provided IP network identity identifying the private IP network between which the data is to be communicated with the remote communication station; and

wherein the IP network-access request forwarded during said step of forwarding is forwarded to the private IP network identified by the wireless-host-provided IP network identity generated during said step of generating.

16. The method of claim 2 wherein the remote communication station has associated therewith a default IP network identity and wherein the IP network-access request forwarded during said step of forwarding is forwarded to the private IP network identified by the default IP network identity.

17. The method of claim 2 wherein said step of determining further comprises the step of authenticating an access request to access the private IP network.

18. The method of claim 2 wherein said step of determining comprises the steps of:

storing at the private IP network a list of remote communication station identities which identify remote communication stations permitted to access the private IP network; and

comparing the remote communication station identity associated with the IP network-access request forwarded during said step of forwarding with the remote communication station identities stored upon the list.

19. The method of claim 18 comprising the further step of allocating an address to the remote communication station at the private IP network if the remote communication station is permitted access thereto, the address allocated to the remote communication station for addressing data communicated by the private IP network to the remote communication station.

20. The method of claim 19 wherein the address allocated during said step of allocating comprises a temporary address, the temporary address identifying the remote communication station for a selected period.

21. In a radio communication system having a wireless access network, a private data communication network coupled to the wireless access network, and a remote communication station operable selectively to communicate data with the private data communication network by way of the wireless access network, an improvement of apparatus for selectively permitting access to the private data communication network by the remote communication station, said apparatus comprising:

a storage element at the wireless access network for storing a remote communication station identity identifying the remote communication station;

a detector coupled to the wireless access network, said detector for detecting a request requesting access by the remote communication station to the wireless access network to permit communication of data therethrough;

an authenticator coupled to the wireless access network, said authenticator for confirming authorization of the remote communication station to communicate by way of the wireless access network;

the remote communication station identity stored together with authentication data associated with the remote communication station;

a network access requester coupled to said authenticator, said network access requester operable responsive to authentication by said authenticator, said network access requester for generating a request to request access to the private data communication network by the remote communication station, the remote communication station identified in the request by the remote communication station identity stored in said storage element; and

a determiner associated with the private IP network, said determiner operable responsive to the request requested by said network access requester to determine whether to permit access by the remote communication station to the private data communication network.

22. The apparatus of claim 21 further comprising an address allocator associated with the private IP network, said address allocator for allocating an address to the remote communication station, the address allocated by said address allocator used to address data communicated to the remote communication station by the private IP network.

23. The apparatus of claim 22 wherein said address allocator comprises a dynamic allocator for dynamically allocating a temporary IP address, the temporary IP address used to address the data communicated to the remote communication station for a selected period.

24. The apparatus of claim 21 wherein said storage element further stores a private data communication address identifying the private data communication network.